MyFitnessPal data breach exposes email addresses, passwords of 150M accounts

in General Discussion edited March 2018
Under Armour's popular health and nutrition app and corresponding website MyFitnessPal was hit with a security breach in February that exposed the usernames, email addresses and passwords of about 150 million users, the company said on Thursday.

Under Armour began notifying users affected by the issue today via email and in-app notifications, according to a press release. Along with standard security recommendations, Under Armour will require users to reset their passwords in the near future.

The fitness firm said it discovered evidence of the breach on March 25, saying a third party gained unauthorized access to approximately 150 million user accounts in late February. A subsequent investigation into the matter suggests the nefarious actor or actors made off with information including usernames, email addresses and passwords, many of which were secured with the bcrypt hashing function.

Not included in the data stash were government-issued identifiers like Social Security numbers and driver's license data, as MyFitnessPal does not collect such information from its customers. Payment data was also not affected since the firm collects and processes those particulars separately.

Under Armour said it is working with data security firms in the ongoing investigation. Whether the breach impacted the company's other digital brands, including running and cycling tracker Endomondo and Map My Run, is unknown at this time.

One of the oldest apps on the iOS App Store, MyFitnessPal is an immensely popular calorie and activity monitoring tool that has garnered millions of users over 13 years of service. The title consistently maintains a spot in Apple's top charts for free Health & Fitness apps, and sits in the No. 2 position as of this writing.

Under Armour purchased MyFitnessPal in 2015 in a deal worth $475 million. At the time, reports indicated the app boasted 80 million registered users.


  • Reply 1 of 11
    No response from them yet.
  • Reply 2 of 11
    appleric said:
    No response from them yet.
    Same with me. But just to be safe, I changed my password.
  • Reply 3 of 11
    StrangeDays Posts: 12,669 member
    Greeaaaat...this one predated my use of the safari password generator feature. 
  • Reply 4 of 11
    netrox Posts: 1,397 member
    Ok, why are so many companies having their data breached? Don't they follow protocols? Do they implement pattern algorithms that can detect if the data is illegally used? This really makes no sense. A company should be alerted if there's an unusual large volume of personal data being transmitted. Something is really fishy with those companies having their large volume of user data breached to a few people. 

  • Reply 5 of 11
    foggyhill Posts: 4,767 member

    If they use bcrypt and did not use common passwords or very short ones, people are mostly ok I believe, but for common passwords, they can deduce the hash by just doing a forward hash with the salt and see if it matches the common ones, and then try it on other sites where you use the user name with the same password, like facebook, etc.

    That's why it's not a good idea to use short idiotic passwords and reuse passwords, essentially on things that are used to log into other sites (like fb and google) and sites that are critical (banking, etc).

    edited March 2018
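    foggyhill's point is that a salt does not shield a common password: whoever holds the stored record can run exactly the forward computation the login check runs, so the only levers a site controls are the work factor and refusing weak passwords up front. The example below is added here and is not code from the article or from anyone in this thread. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (the bcrypt package is not in the standard library); the record format, the common-password denylist and the sample passphrases are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample denylist. A real deployment loads a much larger list
# (e.g. the most common passwords seen in breach corpora).
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "qwerty", "letmein", "welcome",
})

ITERATIONS = 600_000   # work factor; the bcrypt analogue is the cost parameter
SALT_BYTES = 16        # random per-user salt, stored alongside the hash
MIN_LENGTH = 12        # constructed policy value for this example


def is_common_password(password: str) -> bool:
    """True if the password (compared case-insensitively) is on the denylist."""
    return password.lower() in COMMON_PASSWORDS


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$digest' (hex fields).

    The salt and work factor are stored in clear inside the record, just as a
    bcrypt string carries its cost and salt. That is not a weakness: the salt
    only stops one precomputed table from covering every user at once.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the forward hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False          # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(password: str, iterations: int = ITERATIONS) -> str:
    """Policy gate at signup: refuse common or short passwords, else store a salted hash.

    The denylist check comes first because a common password stays guessable
    regardless of salt or work factor; length is checked second.
    """
    if is_common_password(password):
        raise ValueError("password is on the common-password denylist")
    if len(password) < MIN_LENGTH:
        raise ValueError(f"password shorter than {MIN_LENGTH} characters")
    return hash_password(password, iterations)


if __name__ == "__main__":
    record = register("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("password1", record))
```

    The stored record is what a breach exposes; `verify_password` is the forward computation foggyhill describes, and its cost per guess is set entirely by the iteration count. Raising that count slows an attacker and the login path by the same factor, which is why the denylist at registration matters: it removes the guesses that are cheap no matter how high the work factor is.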
  • Reply 6 of 11
    Greeaaaat...this one predated my use of the safari password generator feature. 
    Good time to fix that then isn’t it. 😉
  • Reply 7 of 11
    SpamSandwich Posts: 33,407 member
    I’m shocked this app has 150 million users.
  • Reply 8 of 11
    "Not included in the data stash was government-issued identifiers like Social Security numbers and driver's license data, as MyFitnessPal does not collect such information from its customers." ...also not included are passport numbers, banking PINs, mother's maiden name. Wow, I feel better now! /s
  • Reply 9 of 11
    MacPro Posts: 19,665 member
    In theory most data breaches should only expose a user name or email address and password used for that specific account plus address details, but it is astounding how many people I talk to, when asked to fill in an email and user password to join a web site's user account, use their actual Apple email password not realizing they are supposed to be creating a password solely for this web site. Thus I bet the vast majority of user account breaches actually reveal the Apple email user name and Apple email password and that's often the Apple ID information too, all exposed totally unnecessarily.
    edited March 2018
  • Reply 10 of 11
    larryjw Posts: 1,025 member
    Businesses need to use something other than an email address for the login. Even if the password cannot be discovered, a hacker can use the email to send email blasts. Seems also that every email should be encrypted. It may take a little more horsepower to decrypt the email when sending out notices, but that's the price that should be paid.
  • Reply 11 of 11
    If the data breach really happened (only if), who is going to get the data and utilize it? An insurance company? A private hospital? An ads provider? Then suddenly we get random ads appearing on our phones telling us to get this product and that product based on retargeting ads.